feat: pgedge 4.0.10-4 images (#29)

jason-lynch · web-flow · commit 183aadc043e3 · 2025-06-02T15:45:34.000-04:00
- Updates the minor versions for all supported Postgres versions
- Changes the Patroni installation method from `dnf` to `pip` to resolve
  several High and Medium CVEs
diff --git a/changes/unreleased/Security-20250602-142004.yaml b/changes/unreleased/Security-20250602-142004.yaml
@@ -0,0 +1,3 @@
+kind: Security
+body: Updated `pgedge` images to 4.0.10-4
+time: 2025-06-02T14:20:04.481947-04:00
diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -60,7 +60,7 @@ target "pgedge" {
   context = "docker/pgedge"
   matrix = {
     pg_version = ["15", "16", "17"],
-    image_version = ["4.0.10-3"]
+    image_version = ["4.0.10-4"]
   }
   name = replace("pgedge-${pg_version}-${image_version}", ".", "_")
   tags = pgedge_tags(PGEDGE_IMAGE_REPO, pg_version, image_version)
diff --git a/docker/pgedge/CHANGELOG.md b/docker/pgedge/CHANGELOG.md
@@ -2,6 +2,29 @@
 
 ## Unreleased
 
+## [4.0.10-4] - 2025-05-08
+
+### Changed
+
+#### pg15 variant
+
+- Upgraded to PostgreSQL 15.13-1
+
+#### pg16 variant
+
+- Upgraded to PostgreSQL 16.9-2
+
+#### pg17 variant
+
+- Upgraded to PostgreSQL 17.5-2
+
+#### All variants
+
+- Install Patroni from `pip` instead of with system package manager
+  - The system package manager provides outdated Python dependencies that
+    contain several Medium and High CVEs. Installing from `pip` gives us the
+    latest compatible package versions and resolves the CVEs.
+
 ## [4.0.10-3] - 2025-03-20
 
 ### Changed
diff --git a/docker/pgedge/Dockerfile b/docker/pgedge/Dockerfile
@@ -27,7 +27,7 @@ dnf install -y epel-release dnf
 dnf config-manager --set-enabled crb
 dnf update -y --allowerasing
 xargs dnf install -y < /usr/share/pgedge/packages.txt
-pip install 'python-json-logger==3.2.1'
+pip install 'patroni[etcd,jsonlogger]==4.0.5'
 dnf remove -y python3-pip
 dnf clean all
 
@@ -38,4 +38,4 @@ USER postgres
 ENV PG_MAJOR=${POSTGRES_VERSION}
 ENV PATH=$PATH:/usr/pgsql-${POSTGRES_VERSION}/bin
 
-ENTRYPOINT ["/usr/bin/patroni"]
+ENTRYPOINT ["/usr/local/bin/patroni"]
diff --git a/docker/pgedge/packagelists/pg15_4.0.10-4.txt b/docker/pgedge/packagelists/pg15_4.0.10-4.txt
@@ -1,10 +1,9 @@
-postgresql15-server-15.12-1PGDG.rhel9
+postgresql15-server-15.13-1PGDG.rhel9
 spock_15-4.0.10-1PGDG.rhel9
 snowflake_15-2.2-1PGDG.rhel9
 lolor_15-1.2-1PGDG.rhel9
 postgis35_15-3.5.2-1PGDG.rhel9
 pgvector_15-0.8.0-1PGDG.rhel9
+pgbackrest-2.55.1-1PGDG.rhel9
 python3-pip-21.3.1-1.el9
-patroni-4.0.5-1PGDG.rhel9
-patroni-etcd-4.0.5-1PGDG.rhel9
-pgbackrest-2.54.2-1PGDG.rhel9
+python3-psycopg2-2.9.10-1PGDG.rhel9
diff --git a/docker/pgedge/packagelists/pg16_4.0.10-4.txt b/docker/pgedge/packagelists/pg16_4.0.10-4.txt
@@ -1,10 +1,9 @@
-postgresql16-server-16.8-1PGDG.rhel9
+postgresql16-server-16.9-2PGDG.rhel9
 spock_16-4.0.10-1PGDG.rhel9
 snowflake_16-2.2-1PGDG.rhel9
 lolor_16-1.2-1PGDG.rhel9
 postgis35_16-3.5.2-1PGDG.rhel9
 pgvector_16-0.8.0-1PGDG.rhel9
+pgbackrest-2.55.1-1PGDG.rhel9
 python3-pip-21.3.1-1.el9
-patroni-4.0.5-1PGDG.rhel9
-patroni-etcd-4.0.5-1PGDG.rhel9
-pgbackrest-2.54.2-1PGDG.rhel9
+python3-psycopg2-2.9.10-1PGDG.rhel9
diff --git a/docker/pgedge/packagelists/pg17_4.0.10-3.txt b/docker/pgedge/packagelists/pg17_4.0.10-3.txt
diff --git a/docker/pgedge/packagelists/pg17_4.0.10-4.txt b/docker/pgedge/packagelists/pg17_4.0.10-4.txt
@@ -0,0 +1,9 @@
+postgresql17-server-17.5-2PGDG.rhel9
+spock_17-4.0.10-1PGDG.rhel9
+snowflake_17-2.2-1PGDG.rhel9
+lolor_17-1.2-1PGDG.rhel9
+postgis35_17-3.5.3-1PGDG.rhel9
+pgvector_17-0.8.0-1PGDG.rhel9
+pgbackrest-2.55.1-1PGDG.rhel9
+python3-pip-21.3.1-1.el9
+python3-psycopg2-2.9.10-1PGDG.rhel9
diff --git a/server/internal/orchestrator/swarm/orchestrator.go b/server/internal/orchestrator/swarm/orchestrator.go
@@ -137,11 +137,11 @@ func GetImages(cfg config.Config, version *host.PgEdgeVersion) (*Images, error)
 	var tag string
 	switch version.PostgresVersion.Major() {
 	case 17:
-		tag = "pgedge:pg17_4.0.10-3"
+		tag = "pgedge:pg17_4.0.10-4"
 	case 16:
-		tag = "pgedge:pg16_4.0.10-3"
+		tag = "pgedge:pg16_4.0.10-4"
 	case 15:
-		tag = "pgedge:pg15_4.0.10-3"
+		tag = "pgedge:pg15_4.0.10-4"
 	default:
 		return nil, fmt.Errorf("unsupported postgres version: %q", version.PostgresVersion)
 	}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+kind: Security`
	`2`	+body: Updated `pgedge` images to 4.0.10-4
	`3`	`+time: 2025-06-02T14:20:04.481947-04:00`
Original file line number	Diff line number	Diff line change
`@@ -60,7 +60,7 @@ target "pgedge" {`
`60`	`60`	`context = "docker/pgedge"`
`61`	`61`	`matrix = {`
`62`	`62`	`pg_version = ["15", "16", "17"],`
`63`		`- image_version = ["4.0.10-3"]`
	`63`	`+ image_version = ["4.0.10-4"]`
`64`	`64`	`}`
`65`	`65`	`name = replace("pgedge-${pg_version}-${image_version}", ".", "_")`
`66`	`66`	`tags = pgedge_tags(PGEDGE_IMAGE_REPO, pg_version, image_version)`